Today, data is undeniably an invaluable asset. And this means that the risk of incidents and data breaches has become a significant concern for organisations the world over.

In fact, the 2023 Cyber Security Breaches Survey found that 69% of large businesses, 59% of medium businesses, and 32% of businesses overall experienced breaches or cyber-attacks in the past 12 months.

Despite this, only three in ten businesses have undertaken cyber security risk assessments, and just 30% deployed security monitoring tools. The survey also found that only three in ten businesses (30%) have board members or trustees who are explicitly responsible for cyber security as part of their job role.

With stringent privacy laws here in the UK, it’s crucial for businesses to have a robust incident and data breach management framework in place to help protect their company, its reputation, and any customer data – should the worst happen. This blog will guide you through the essentials of managing incidents and data breaches effectively.

Understanding Incidents and Data Breaches

First up, let’s look at what we mean by ‘incidents’ and ‘data breaches’.

  • Incident: An incident is any unexpected event that may compromise the confidentiality, integrity, or availability of an organisation’s information systems. This includes unauthorised access attempts, malware infections, and system outages. Not every incident involves personal data.
  • Data breach: A data breach is any unauthorised access to, disclosure of, or acquisition of sensitive information. This could involve personal data, financial records, or any other confidential information that you are trusted to protect. Where personal data is involved, it is a personal data breach and the reporting rules below apply.

Roles and Responsibilities of Incident Response Teams

Some businesses choose to establish an Incident Response Team (IRT) for added peace of mind. An IRT is typically made up of an incident coordinator, technical experts, and a communication coordinator. Here’s what they do:

  • Incident Coordinator: Oversees the entire incident response process.
  • Technical Experts: Handle the technical aspects of incident resolution, including containment, evidence collection, and analysis.
  • Communication Coordinator: Manages communication with internal and external stakeholders.

Best practice is to predefine these roles, with named deputies, so that incident response activities start quickly and run smoothly. A team assembled ad hoc at the moment an incident is discovered will lose time agreeing who does what.

Other organisations find it easier – and more effective – to partner with external experts who can step in to handle incidents and data breaches as and when they arise.

Understanding Reporting Requirements

Whether you choose to handle incidents and data breaches internally or externally, it’s important to understand the reporting requirements when a problem arises. Let’s look at the reporting lifecycle:

Initial Reporting – Any employee who suspects or observes a security incident must report it immediately to the designated incident coordinator. It is important that your security training for staff includes information on how to identify and report incidents.

Following Identification of a Breach – If a data breach is confirmed, an organisation must answer five questions, in order:

  1. Does the breached data contain personal data?
  2. Are controls in place that mitigate the impact of the breach (for example, strong encryption with the keys not exposed)?
  3. Is the unauthorised disclosure likely to affect the rights and freedoms of data subjects (including harm or distress)?
  4. Is the breach therefore a reportable breach?
  5. Does the likely impact also warrant informing the data subject(s) themselves?

Remember that a reportable breach must be notified to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware that personal data may have been affected, not after an investigation has verified that it was. Do not wait for the investigation to complete before reporting. The ICO accepts an initial notification followed by further details in phases as the investigation progresses.

After you have reported a breach to the ICO, you can always go back to them once the investigation is complete and let them know if the data you suspected had been breached had not in fact been affected.
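To make the five questions and the 72-hour clock concrete, here is an added triage routine in Python; it is not code from the original post. The thresholds follow UK GDPR Articles 33 and 34 (notify the ICO within 72 hours of awareness unless the breach is unlikely to result in a risk to individuals; tell the individuals without undue delay when the risk is high). The field names, the three-step risk scale, the rule that effective mitigation lowers the assessed risk by one step, and the sample breaches are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class Risk(Enum):
    """Assumed three-step scale for the likely impact on data subjects."""
    UNLIKELY = 0
    LIKELY = 1
    HIGH = 2


@dataclass
class Breach:
    ref: str
    aware_at: datetime      # when the organisation became aware (not when the investigation ends)
    personal_data: bool     # Q1: does the affected data include personal data?
    mitigated: bool         # Q2: controls that blunt the impact (e.g. strong encryption, keys not exposed)?
    risk: Risk              # Q3: likely impact on rights and freedoms, assessed before mitigation


@dataclass
class Decision:
    report_to_ico: bool = False
    ico_deadline: Optional[datetime] = None
    notify_data_subjects: bool = False
    reasons: List[str] = field(default_factory=list)


ICO_WINDOW = timedelta(hours=72)   # UK GDPR Art. 33: 72 hours from awareness


def assessed_risk(b: Breach) -> Risk:
    """Q2 applied to Q3: assumed rule that effective mitigation lowers the risk by one step."""
    if b.mitigated and b.risk is not Risk.UNLIKELY:
        return Risk(b.risk.value - 1)
    return b.risk


def triage(b: Breach) -> Decision:
    """Q4 and Q5: is the breach reportable, and must the data subjects be told?"""
    d = Decision()
    if not b.personal_data:
        d.reasons.append("no personal data involved: handle as a security incident, not a personal data breach")
        return d
    risk = assessed_risk(b)
    if risk is not b.risk:
        d.reasons.append(f"mitigating controls lower assessed risk from {b.risk.name} to {risk.name}")
    if risk is Risk.UNLIKELY:
        d.reasons.append("unlikely to result in a risk to individuals: record internally, no ICO report required")
        return d
    d.report_to_ico = True
    d.ico_deadline = b.aware_at + ICO_WINDOW   # clock runs from awareness, not from the end of the investigation
    d.reasons.append("report to the ICO within 72 hours of awareness; supply findings in phases if still investigating")
    if risk is Risk.HIGH:
        d.notify_data_subjects = True
        d.reasons.append("high risk: inform affected individuals without undue delay")
    return d


def hours_left(d: Decision, now: datetime) -> Optional[float]:
    """Hours remaining in the ICO window (negative once it has passed); None if no report is due."""
    if d.ico_deadline is None:
        return None
    return (d.ico_deadline - now).total_seconds() / 3600


def sample_breaches() -> List[Breach]:
    """Constructed sample breaches used to exercise the triage; not real incidents."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    return [
        Breach("INC-1", t0, personal_data=False, mitigated=False, risk=Risk.HIGH),    # outage, no personal data
        Breach("INC-2", t0, personal_data=True,  mitigated=True,  risk=Risk.LIKELY),  # encrypted laptop lost
        Breach("INC-3", t0, personal_data=True,  mitigated=False, risk=Risk.LIKELY),  # customer list sent to wrong recipient
        Breach("INC-4", t0, personal_data=True,  mitigated=True,  risk=Risk.HIGH),    # exfiltrated records, partly mitigated
    ]


if __name__ == "__main__":
    now = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
    for b in sample_breaches():
        d = triage(b)
        print(b.ref, "ICO" if d.report_to_ico else "no ICO",
              "+subjects" if d.notify_data_subjects else "",
              "| hours left:", hours_left(d, now), "|", "; ".join(d.reasons))
```

The point of the `aware_at` field is the one the post makes: the deadline is computed from the moment of awareness, and `triage` can be re-run as the investigation refines `risk` and `mitigated`, which is exactly the phased reporting the ICO allows.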

End of the Incident/Breach Management Lifecycle – A comprehensive incident report must be generated, detailing the incident, response actions taken, and preventive measures implemented.


Incident and Breach Management Lifecycle

As well as getting to grips with reporting requirements, companies must understand the incident and data breach lifecycle, and what needs to happen at every stage.

  1. Containment: Isolate affected systems to prevent further damage and verify that no related systems have also been compromised.
  2. Investigation: Determine the scope, origin, and impact of the incident or breach.
  3. Evaluation and Reporting: Assess the severity and report to relevant authorities, such as the ICO.
  4. Risk Assessments and Corrective Action: Identify vulnerabilities and implement measures to mitigate future risks.
  5. Review of Effectiveness: Plan a date to revisit the corrective measures that have been put in place and verify that they have been effective.
  6. Lessons Learned: Document insights to improve future incident response.

Containment

Swift containment is critical to prevent the escalation of an incident. This involves isolating affected systems, shutting down compromised accounts, and implementing temporary security measures.

This should also include a review of related systems to ensure that the breach hasn’t affected those systems.

If you have Business Continuity Plans in place, these will likely be triggered so that fallback systems are brought up while the affected ones remain offline.

At this point it may be unclear whether a compromised system has suffered a personal data breach. If it may have, you should still report it to the ICO within 72 hours of becoming aware, and update the report as the investigation progresses.

Investigation

A thorough investigation is necessary to understand the nature and extent of the incident. Technical experts analyse logs, traces, and other relevant data to identify the entry point and tactics used by the attacker.

The investigation phase can take anywhere from a few hours or days up to several weeks to establish exactly what happened. If you have not already reported a suspected personal data breach to the ICO, do so within the 72-hour window, even if you are not yet certain that a personal data breach has occurred.

Evaluation and Reporting

Once the incident is contained and investigated, a detailed report is compiled. This report includes information about the incident, systems affected, immediate actions taken, the likely causes of the incident, any data affected and any identified deficiencies or risks.

If a data breach is reported to the ICO then the incident report should include a copy of the ICO report.

Risk Assessments and Corrective Action

Risks and deficiencies identified during the investigation will require mitigation or remediation. This involves managing the risks in line with the organisation’s risk management methodology and implementing corrective actions, such as patching systems, updating security procedures, and providing additional training to staff.

Risks should be evaluated and acted upon against defined risk management criteria; every risk treatment action and corrective action should have a named owner and a completion date.

Review of Effectiveness

After the incident is resolved, it’s crucial to review the effectiveness of the risk treatment and corrective actions that have been implemented. Where these actions are not achieving their objectives then they should be reviewed and corrected to ensure effectiveness.

Lessons Learned

Documenting lessons learned is integral to refining incident response strategies. This information is invaluable for continuously enhancing your organisation’s resilience to future incidents.

Lessons learned should cover aspects such as incident reporting, incident team performance during the incident, communications with stakeholders, document and record keeping, and interfaces with other organisational systems and processes.

Any opportunities for improvement should then be integrated into the Incident Management Process.

Preparing For a More Secure Future

Effective incident and data breach management calls for a combination of technical expertise, clear communication, and continuous improvement. By establishing a well-defined incident response framework and remaining compliant with data protection regulations, it is possible to mitigate risks and safeguard sensitive information effectively.

Remember: in the world of cybersecurity, preparedness is the key to resilience. Find out how we can help you to stay protected.

Source: 2023 Cyber Security Breaches Survey

Free Consultation: Manage your Incidents, Risks and Corrective Actions

For more information on how PRISM can be used to manage your Incidents, Risks, Risk Treatment and Corrective Actions, contact our team for a free consultation.
